
IPA/ISEC:Vulnerabilities:JVN iPedia Registration Status for 2010 1Q

~High number of accesses to old vulnerability information remarkable~

May 10, 2010

Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) has issued a quarterly analysis report on the vulnerabilities registered to JVN iPedia, a vulnerability countermeasure information database, for the first quarter (January to March) of 2010.

1. Overview of 2010 1Q

The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) aims to be a comprehensive database that gathers vulnerability countermeasure information for software products used in Japan. JVN iPedia collects and translates the vulnerability countermeasure information made public by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3), and has made this information available to the public since April 25, 2007.

1.1 Vulnerabilities registered in 2010 1Q

~The number of vulnerability countermeasure information registered in JVN iPedia surpassed 8,000~

The vulnerability countermeasure information registered to the Japanese version of JVN iPedia reached a cumulative total of over 8,000 in the 1st quarter of 2010 (January 1 to March 31, 2010). 3 cases were gathered from domestic developers (88 cumulative cases since the launch of JVN iPedia), 26 cases from JVN (750 cumulative cases), and 333 cases from NVD (7,170 cumulative cases), bringing the quarterly total to 362 cases (8,008 cumulative cases) (Table 1, Figure 1).

As for the English version of JVN iPedia, 3 cases were gathered from domestic developers (88 cumulative cases) and 8 from JVN (421 cumulative cases), making a quarterly total of 11 cases (509 cumulative cases).

Table 1. Registered Vulnerabilities in 1st Quarter of 2010

Version          | Information Source  | 2010 1Q | Total Sum
Japanese Version | Domestic Developers |       3 |        88
Japanese Version | JVN                 |      26 |       750
Japanese Version | NVD                 |     333 |     7,170
Japanese Version | Total               |     362 |     8,008
English Version  | Domestic Developers |       3 |        88
English Version  | JVN                 |       8 |       421
English Version  | Total               |      11 |       509

 

Figure 1. Quarterly Changes in Number of Registered Vulnerabilities

1.2 Most Accessed Vulnerability Countermeasure Information from April 2009 to March 2010

~Old, highly risky vulnerabilities still on the loose~

Table 2 lists the 20 most accessed vulnerability countermeasure information entries in JVN iPedia from April 2009 to March 2010. Entries published some time ago, such as those on DNS, OpenSSL and Apache Tomcat, are still attracting a lot of attention.

By publication year, 3 of the top 20 vulnerabilities were published in 2007, 8 in 2008 and 9 in 2009; 9 of the top 10 were published in 2008 or earlier. By severity, measured with the Common Vulnerability Scoring System (CVSS)(*4), 85 percent are labeled severity level(*5) II (Medium) or III (High). The continued attention to old vulnerabilities suggests that many servers and personal computers out there are still vulnerable to them. Website and system administrators are urged to check their IT systems for old vulnerabilities once again and take proper measures if they find unpatched ones.

Table 2. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Apr. 2009 - Mar. 2010]

#  | ID                | Title                                                                                   | Access Count | CVSS Score | Date Public
1  | JVNDB-2008-001495 | DNS cache poisoning vulnerability in multiple DNS products (in Japanese)                 | 6,542        | 6.4        | 2008/7/23
2  | JVNDB-2005-000601 | OpenSSL version rollback vulnerability                                                  | 4,328        | 2.6        | 2007/4/1
3  | JVNDB-2008-000009 | Apache Tomcat fails to properly handle cookie value                                     | 3,892        | 4.3        | 2008/2/12
4  | JVNDB-2008-000050 | Virus Security and Virus Security ZERO denial of service (DoS) vulnerability            | 3,884        | 4.3        | 2008/8/12
5  | JVNDB-2009-000010 | Apache Tomcat information disclosure vulnerability                                      | 3,338        | 2.6        | 2009/2/26
6  | JVNDB-2008-001647 | Jasmine WebLink Template Multiple Vulnerabilities                                       | 3,117        | 7.5        | 2008/9/10
7  | JVNDB-2007-001017 | Improper HTTP method examination for Apache HTTP Server 413 Error Message (in Japanese) | 3,117        | 4.3        | 2007/12/20
8  | JVNDB-2008-000022 | Lhaplus buffer overflow vulnerability                                                   | 3,081        | 6.8        | 2008/4/28
9  | JVNDB-2008-000018 | Namazu cross-site scripting vulnerability                                               | 3,021        | 4.3        | 2008/3/21
10 | JVNDB-2008-001043 | X.Org Foundation X server buffer overflow vulnerability                                 | 2,908        | 7.4        | 2008/1/31
11 | JVNDB-2008-000084 | PHP vulnerable to cross-site scripting                                                  | 2,851        | 2.6        | 2008/12/19
12 | JVNDB-2007-000819 | Cross-site scripting vulnerability in Apache HTTP Server "mod_imap" and "mod_imagemap"  | 2,794        | 4.3        | 2007/12/13
13 | JVNDB-2009-000037 | Apache Tomcat denial of service (DoS) vulnerability                                     | 2,790        | 4.3        | 2009/6/18
14 | JVNDB-2009-000040 | iPhone OS denial of service (DoS) vulnerability                                         | 2,725        | 7.8        | 2009/6/18
15 | JVNDB-2009-000036 | Apache Tomcat information disclosure vulnerability                                      | 2,686        | 4.3        | 2009/6/18
16 | JVNDB-2009-000032 | Directory traversal vulnerability in multiple Cisco Systems products                    | 2,677        | 10.0       | 2009/5/29
17 | JVNDB-2009-000018 | Ichitaro series buffer overflow vulnerability                                           | 2,561        | 6.8        | 2009/4/7
18 | JVNDB-2009-000019 | Cross-site scripting vulnerability in apricot.php from LovPop.net                       | 2,525        | 4.3        | 2009/4/16
19 | JVNDB-2009-000017 | XOOPS Cube Legacy cross-site scripting vulnerability                                    | 2,471        | 4.3        | 2009/4/2
20 | JVNDB-2009-000016 | Access Analyzer CGI Professional Version vulnerability allows third party to gain administrative privileges | 2,445 | 7.5 | 2009/3/31


Note 1) Color Code for CVSS Base Score and Severity Level
  CVSS Base Score 0.0~3.9  : Severity Level Low
  CVSS Base Score 4.0~6.9  : Severity Level Medium
  CVSS Base Score 7.0~10.0 : Severity Level High

Note 2) Color Code for Published Date
  Published in 2007 / Published in 2008 / Published in 2009
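As an added example (not code from the IPA report), the following Python script re-runs the analysis behind Section 1.2 on the rows of Table 2: it applies the score bands of Note 1, counts entries by severity level and publication year, and then derives the list of old, Medium-or-higher entries that an administrator would re-check on their own systems, which is the action the report asks for. The JVNDB ids, CVSS scores and publication dates are transcribed from the table; the function names, the one-year age threshold and the as-of date of 2010/3/31 (end of the report period) are the example's own assumptions.

```python
# Added example, not part of the IPA report: reproduce the Section 1.2 analysis
# from the rows of Table 2 and turn it into a patch-check worklist.
from collections import Counter
from datetime import date

# (JVNDB id, CVSS base score, publication date) transcribed from Table 2 of the
# page, in access-count order. Only the columns the analysis needs are kept.
TOP20_APR2009_MAR2010 = [
    ("JVNDB-2008-001495", 6.4, "2008/7/23"),
    ("JVNDB-2005-000601", 2.6, "2007/4/1"),
    ("JVNDB-2008-000009", 4.3, "2008/2/12"),
    ("JVNDB-2008-000050", 4.3, "2008/8/12"),
    ("JVNDB-2009-000010", 2.6, "2009/2/26"),
    ("JVNDB-2008-001647", 7.5, "2008/9/10"),
    ("JVNDB-2007-001017", 4.3, "2007/12/20"),
    ("JVNDB-2008-000022", 6.8, "2008/4/28"),
    ("JVNDB-2008-000018", 4.3, "2008/3/21"),
    ("JVNDB-2008-001043", 7.4, "2008/1/31"),
    ("JVNDB-2008-000084", 2.6, "2008/12/19"),
    ("JVNDB-2007-000819", 4.3, "2007/12/13"),
    ("JVNDB-2009-000037", 4.3, "2009/6/18"),
    ("JVNDB-2009-000040", 7.8, "2009/6/18"),
    ("JVNDB-2009-000036", 4.3, "2009/6/18"),
    ("JVNDB-2009-000032", 10.0, "2009/5/29"),
    ("JVNDB-2009-000018", 6.8, "2009/4/7"),
    ("JVNDB-2009-000019", 4.3, "2009/4/16"),
    ("JVNDB-2009-000017", 4.3, "2009/4/2"),
    ("JVNDB-2009-000016", 7.5, "2009/3/31"),
]


def severity_level(cvss_base):
    """Map a CVSS v2 base score to the severity level defined in Note 1."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score out of range: %r" % (cvss_base,))
    if cvss_base >= 7.0:
        return "III (High)"
    if cvss_base >= 4.0:
        return "II (Medium)"
    return "I (Low)"


def parse_date(text):
    """Parse the table's YYYY/M/D form (no zero padding) into a date."""
    year, month, day = (int(part) for part in text.split("/"))
    return date(year, month, day)


def severity_counts(rows):
    """Number of entries per severity level."""
    return dict(Counter(severity_level(score) for _, score, _ in rows))


def percent_medium_or_high(rows):
    """Share of entries rated level II or III, rounded to a whole percent."""
    n = sum(1 for _, score, _ in rows if score >= 4.0)
    return round(100 * n / len(rows))


def published_per_year(rows):
    """Number of entries per publication year."""
    return dict(Counter(parse_date(published).year for _, _, published in rows))


def old_entries_in_top(rows, top_n=10, cutoff_year=2008):
    """How many of the top_n entries were published in cutoff_year or earlier."""
    return sum(1 for _, _, published in rows[:top_n]
               if parse_date(published).year <= cutoff_year)


def patch_check_worklist(rows, as_of, min_age_days=365, min_score=4.0):
    """Entries still heavily accessed although at least min_age_days old and
    rated Medium or above: the 'old vulnerabilities' the report asks
    administrators to re-check on their own systems. as_of uses the same
    YYYY/M/D form as the table (assumption of this example)."""
    as_of_date = parse_date(as_of)
    return [entry_id for entry_id, score, published in rows
            if score >= min_score
            and (as_of_date - parse_date(published)).days >= min_age_days]


if __name__ == "__main__":
    rows = TOP20_APR2009_MAR2010
    print("severity:", severity_counts(rows))
    print("level II or III:", percent_medium_or_high(rows), "%")
    print("by year:", published_per_year(rows))
    print("top 10 published 2008 or earlier:", old_entries_in_top(rows))
    print("re-check:", patch_check_worklist(rows, as_of="2010/3/31"))
```

Running the script reproduces the figures quoted in Section 1.2 (85 percent level II or III; 3, 8 and 9 entries from 2007, 2008 and 2009; 9 of the top 10 from 2008 or earlier) and leaves ten entries on the re-check list. The age threshold and score floor are parameters because a real deployment would tune them to its own patch cycle.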

2. Summary of 2010 1Q

2.1 Many well-known vulnerabilities still reported

CWE(*6) is a hierarchically structured list of weakness types that helps identify software vulnerabilities. CWE makes it possible to identify, analyze and compare, on a common basis, vulnerabilities of widely varying kinds. Figure 2 shows the number of vulnerability countermeasure information entries registered during the 1st quarter, sorted by vulnerability type using CWE.

The vulnerability types reported most often this quarter were CWE-119 (Buffer Errors) with 53 cases, CWE-94 (Code Injection) with 42 cases, CWE-399 (Resource Management Errors) with 32 cases, CWE-264 (Permissions, Privileges, and Access Controls) with 26 cases, CWE-20 (Insufficient Input Validation) with 22 cases, CWE-189 (Numeric Errors) with 22 cases, and CWE-79 (Cross-Site Scripting) with 14 cases.

Most of these are well-known types of vulnerabilities. Software developers should refer to the IPA guidelines that address them, such as “How to Secure Your Web Site”(*7), “How to use SQL Calls to Secure Your Web Site”(*8) and the “Secure Programming Course”(*9), to make sure that the necessary security measures are implemented from the planning and design phase of software development.

Figure 2. Image of Multilingual CVSS Calculator

2.2 Many highly risky vulnerabilities reported

Figure 3 shows the annual transitions in the severity of vulnerabilities registered to JVN iPedia, based on the date they were first made public by product developers or by other means, such as release on security portal sites. The publication of vulnerability countermeasure information has increased dramatically since 2004, and continued to show an increasing tendency through 2009.

JVN iPedia rates each vulnerability according to CVSS(*4) and publishes its severity level(*5). As of the 1st quarter of 2010 (January to March), 61 percent of the vulnerabilities were labeled level III (“High”, CVSS Base Score 7.0-10.0), 36 percent were labeled level II (“Medium”, CVSS Base Score 4.0-6.9) and 3 percent were level I (“Low”, CVSS Base Score 0.0-3.9).

Considering that such a large share of published vulnerabilities are labeled with the higher severity levels, it is essential for product users to check vulnerability information on a daily basis and to apply updates and security patches for the products in use without delay.

Figure 3. Transition of Vulnerability Type by Publication Year

2.3 Vulnerability in application software on the rise

Figure 4 shows the annual transitions in the type of software products registered to JVN iPedia for having vulnerabilities, based on their respective publication dates.

Publication of vulnerability countermeasure information is increasing annually for application software, which includes desktop applications such as Internet Explorer, Firefox and Microsoft Office; middleware products such as web servers, application servers and databases; and development/management platforms such as PHP, Java and the GNU libraries. Since many new applications are developed each year and they continue to carry both old and new vulnerabilities, improving security measures for application software should be given especially high priority.

For operating systems such as Windows, Mac OS, UNIX and Linux, the number of published vulnerabilities initially showed an increasing trend, but dropped off from 2005. This is because, even though new vulnerabilities are discovered each year, vulnerability countermeasures for operating systems are implemented promptly in the subsequent product versions.

Around 2005, vulnerabilities in embedded software products, such as network devices, cell phones, DVD recorders and other intelligent home appliances, gradually began to be published.

In addition, from around 2008, vulnerabilities in Supervisory Control And Data Acquisition (SCADA) systems used in critical infrastructures have been reported as well. 6 such vulnerabilities were published in 2008, 9 in 2009 and 2 in 2010 so far, bringing the total number of reported SCADA vulnerabilities to 17.

 

Figure 4. Vulnerability Types Registered in 2009/4Q

2.4 Open Source Software

Figure 5 shows the annual transitions in JVN iPedia registered vulnerabilities found in open source software (OSS) and non-OSS, based on the date they were first made public. 34 percent of the registered vulnerabilities are in OSS and 66 percent in non-OSS. Looking at the OSS to non-OSS ratio by year, the share of OSS rose steadily from 1998 to 2003, but after peaking in 2003 it has shown a decreasing trend.

Figure 5. Annual Changes in Severity of Vulnerabilities

2.5 Product Vendors

Figures 8 and 9 illustrate the breakdown of software developers (vendors) registered on JVN iPedia, with Figure 6 representing OSS vendors and Figure 7 representing non-OSS vendors.

As shown in Figure 6, the registered OSS vendors consist of 61 domestic vendors, 21 foreign vendors with an office in Japan, and 219 foreign vendors without an office in Japan, a cumulative total of 301 OSS vendors. Similarly, as Figure 7 shows, the 205 registered non-OSS vendors consist of 105 domestic vendors, 60 foreign vendors with an office in Japan, and 40 foreign vendors without an office in Japan.

In the case of OSS vendors, a large share of the registered vulnerability countermeasure information comes from foreign vendors without an office in Japan. When using OSS, product users who lack the knowledge required to update the software to the latest version or to apply security patches should consider a support contract and/or the product support services provided by the vendor.

Figure 8. OSS Vendors, Figure 9. Non-OSS Vendors

 

3. Most Accessed Vulnerability Countermeasure Information

Table 3 lists the 20 most accessed vulnerability countermeasure information entries in the JVN iPedia database during the 1st quarter of 2010. Entries published some time ago, such as those on DNS, OpenSSL, Apache Tomcat, Lhaplus and Namazu, are still attracting a lot of attention. Among recently released vulnerability information, the entries on OpenPNE, Oracle Application Server and Movable Type also attracted a large number of accesses.

Table 4 lists the 5 most accessed vulnerability countermeasure information entries among those reported by domestic product developers.

Table 3. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Jan. 2010 - Mar. 2010]

#  | ID                | Title                                                                                   | Access Count | CVSS Score | Date Public
1  | JVNDB-2009-002319 | SSL and TLS protocols renegotiation vulnerability (in Japanese)                         | 1,433        | 6.4        | 2009/12/14
2  | JVNDB-2008-001495 | DNS cache poisoning vulnerability in multiple DNS products (in Japanese)                 | 1,333        | 6.4        | 2008/7/23
3  | JVNDB-2010-000006 | OpenPNE authentication bypass vulnerability                                             | 1,101        | 5.8        | 2010/3/5
4  | JVNDB-2010-000004 | Oracle Application Server vulnerable to cross-site scripting                            | 1,048        | 2.6        | 2010/1/14
5  | JVNDB-2009-001911 | XML Digital Signature Authentication Bypass Vulnerability (in Japanese)                 | 1,023        | 5.0        | 2009/8/20
6  | JVNDB-2010-000001 | Movable Type access restriction bypass vulnerability                                    | 999          | 5.5        | 2010/1/6
7  | JVNDB-2008-000009 | Apache Tomcat fails to properly handle cookie value                                     | 948          | 4.3        | 2008/2/12
8  | JVNDB-2010-000003 | WebCalenderC3 vulnerable to directory traversal                                         | 874          | 5.0        | 2010/1/12
9  | JVNDB-2009-000036 | Apache Tomcat information disclosure vulnerability                                      | 855          | 4.3        | 2009/6/18
10 | JVNDB-2005-000601 | OpenSSL version rollback vulnerability                                                  | 802          | 2.6        | 2007/4/1
11 | JVNDB-2008-000022 | Lhaplus buffer overflow vulnerability                                                   | 800          | 6.8        | 2008/4/28
12 | JVNDB-2007-001017 | Improper HTTP method examination for Apache HTTP Server 413 Error Message (in Japanese) | 799          | 4.3        | 2007/12/20
13 | JVNDB-2007-000819 | Cross-site scripting vulnerability in Apache HTTP Server "mod_imap" and "mod_imagemap"  | 779          | 4.3        | 2007/12/13
14 | JVNDB-2010-000002 | WebCalenderC3 cross-site scripting vulnerability                                        | 775          | 4.3        | 2010/1/12
15 | JVNDB-2008-001043 | X.Org Foundation X server buffer overflow vulnerability                                 | 753          | 7.4        | 2008/1/31
16 | JVNDB-2008-000018 | Namazu cross-site scripting vulnerability                                               | 743          | 4.3        | 2008/3/21
17 | JVNDB-2009-000037 | Apache Tomcat denial of service (DoS) vulnerability                                     | 742          | 4.3        | 2009/6/18
18 | JVNDB-2009-000068 | Implementations of IPv6 may be vulnerable to denial of service (DoS) attacks            | 688          | 5.7        | 2009/10/26
19 | JVNDB-2008-000050 | Virus Security and Virus Security ZERO denial of service (DoS) vulnerability            | 684          | 4.3        | 2008/8/12
20 | JVNDB-2008-001647 | Jasmine WebLink Template Multiple Vulnerabilities                                       | 673          | 7.5        | 2008/9/10

 

Table 4. Top 5 Most Accessed Vulnerability Countermeasure Information from Domestic Developers [Jan. 2010 - Mar. 2010]

# | ID                | Title                                                                             | Access Count | CVSS Score | Date Public
1 | JVNDB-2008-001647 | Jasmine WebLink Template Multiple Vulnerabilities                                 | 673          | 7.5        | 2008/9/10
2 | JVNDB-2008-001150 | JP1/HIBUN Encryption/Decryption and Removable Media Control Malfunction Problems  | 598          | 3.6        | 2008/3/14
3 | JVNDB-2008-001313 | JP1/Cm2/Network Node Manager Denial of Service Vulnerability                      | 588          | 5.0        | 2008/5/9
4 | JVNDB-2008-001895 | JP1/VERITAS NetBackup JAVA Administration GUI Privilege Escalation Vulnerability  | 544          | 6.5        | 2008/11/26
5 | JVNDB-2009-002358 | Fujitsu Interstage and Systemwalker SSL Vulnerabilities                           | 522          | 5.0        | 2009/12/25


Note 1) Color Code for CVSS Base Score and Severity Level
  CVSS Base Score 0.0~3.9  : Severity Level Low
  CVSS Base Score 4.0~6.9  : Severity Level Medium
  CVSS Base Score 7.0~10.0 : Severity Level High

Note 2) Color Code for Published Date
  Published in 2008 and before / Published in 2009 / Published in 2010

 

Footnote

(*1)Japan Vulnerability Notes. A portal for vulnerability countermeasure information, providing information on vendor responses to reported vulnerabilities and on security support. Operated jointly by IPA and JPCERT/CC.
http://jvn.jp/en/

(*2)National Vulnerability Database. A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm

(*3)National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/

(*4)Common Vulnerability Scoring System (CVSS) Summary:
http://www.ipa.go.jp/security/vuln/SeverityCVSS2.html (in Japanese)

(*5)Transition to the New Version of the Vulnerability Severity Scoring System CVSS (Common Vulnerability Scoring System):
http://www.ipa.go.jp/security/vuln/SeverityLevel2.html (in Japanese)

(*6)Refer to “CWE (Common Weakness Enumeration) Overview”
http://www.ipa.go.jp/security/english/vuln/CWE_en.html

(*7)How to Secure Your Web Site:
http://www.ipa.go.jp/security/vuln/websecurity.html (in Japanese)

(*8)How to use SQL Calls to Secure Your Web Site:
http://www.ipa.go.jp/security/vuln/websecurity.html (in Japanese)

(*9)Secure Programming Course:
http://www.ipa.go.jp/security/awareness/vendor/programmingv2/index.html (in Japanese)


Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: